Tuesday, 29 December 2009

Every start-up has a story. This is the story of Totlol. Because I did everything myself, it is also the story of almost two years of my life. It's the story of a flourishing service into which I put tons of work. It's the story of a site for which I had high hopes. It's the story of how things unfolded when it fell into a trap set up by Google.

What?

A trap? Set up by Google?

Yep. It works in the following manner:

Google releases a public API. They watch what third-party developers do with the API and modify the Terms of Service (ToS) for that API in a way that prevents breakthrough potential. Google may then move to offer a similar service based on their platform rather than the API.

Unbelievable?

I thought so too. Until I experienced it first hand.

Read on.

Act one - I build a website

My son, now four, has been a YouTube user since the time he was about 10 months old. Not his fault. He'd crawl into the office, I'd point the browser to show him something interesting. I had 'online video' and 'kids' in my head for a while and in early 2008 I decided I'll make my ideas a project.

The very first prototype of Totlol had an upload button and no YouTube integration. When it was done I contacted a content creator with a good YouTube presence and showed it to them. The response: 'Great idea for a site' but 'we have limited resources when it comes to distributing ... so our participation isn't a sure thing.' They never uploaded. I got replies along the same lines from others I contacted.

That was not good.

Then I thought about YouTube a little more. When uploading to YouTube, content creators give an implicit right to distribute. They don't want to be bothered again. I figured that if I empower a community to sort what has already been uploaded it will have a chance of succeeding. The YouTube APIs provided the right tools.

I launched the first version of Totlol publicly on May 11, 2008. It introduced the concepts of community participation and video pre-screening and was very well received. With that feedback at hand I made a bold decision. I decided to commit to the project and make it a start-up. Making an even gutsier move I submitted an application for the TechCrunch 50 start-up competition. Then I went to work on building what I just promised to deliver in three months.

On June 16, 2008 I received, via Totlol's contact form, a message from Stephanie Liu, currently a Developer Technical Programs Manager at Google and back then part of the YouTube API team.

It said:

'I saw some blogs / articles about the site, and think it's a great example of how to use the APIs :) I'd like to feature the site on code.google.com'

We had a short discussion and finished exchanging information and files on the 18th. Then there was silence, and what seemed like a couple of weeks passed. Finally an e-mail arrived:

'Sorry for the delay -- Totlol is currently on the featured project widget on code.google.com and code.google.com/apis/youtube'

Delay? That happens. I said 'Really, really, really thanks' and went back to work building stuff.

Act Two - They change the terms

The interest in Totlol was not coincidental. It was one of the first to use tools provided as part of a major YouTube API upgrade done a few months prior. That upgrade also introduced a whole new set of ToS dated March 10, 2008. It is a boring document but I actually read it very carefully several times before starting to work on YouTube integration.

Though newly published less than four months prior, Google found it necessary to make a small update to the YouTube API ToS on July 7th.

A new restriction on commercial use was introduced:

'the sale of advertising, sponsorships, or promotions on any page of the API Client containing YouTube audiovisual content, unless other content not obtained from YouTube appears on the same page and is of sufficient value to be the basis for such sales.'

The tangled wording is specifically restrictive for sites where the main use case is watching videos. Such sites are navigated mainly by jumping from one video to the other. The occurrences of page views in which there is no audiovisual content are random and far between. Getting sponsorship under these terms would be ridiculous. Advertising revenue would be practically non-existent.

There was no announcement of the ToS change. It wasn't in the blog and though I've later looked in the Developer Forum archive, I could not find one there either.

Within two months of launching publicly, the legal walls that would later trap me had been erected. But no one told me.

By September I had a Beta and though I didn't make the cut for the TechCrunch 50, I moved on with enhancements. AgeOptimizer came in October. OAuth linked YouTube accounts came in January. By April I brought Totlol to the iPhone. It became an Apple featured Web App and I got another nod of approval when the site became a Webby Awards Official Honoree. The backend was finally stable. Usage was growing nicely. People really liked it.

Then, as I was ready to make a business move, I looked at the ToS again. They changed. I read them carefully and, oops, something was wrong. There was a new commercial use restriction.

Boom. I've hit the brick wall.

Act Three - Trapped

What can one do? I didn't know when the ToS changed nor the context in which it was done, but, I'm an optimist.

The commercial use restrictions set in the ToS do say that there may be exceptions if one can 'obtain YouTube's prior written approval'. With that in mind I went to Google I/O, the annual developer conference.

At the conference I met Kuan Yong, Sr. Product Manager at Google and as far as I knew, the person responsible for the API. He was about to give a presentation titled Best Practices for Writing Great, Monetizable YouTube Apps. I said 'hi' and sat down.

I thought Totlol was great, others thought Totlol was great and I knew the API team at YouTube thought it was great. I was hoping to see how it would be presented. It wasn't. It felt awkward. Bizarre. At least Kuan was kind enough to acknowledge Totlol and me verbally.

After the presentation was done I caught up with Kuan, we had a chance to chitchat and I popped the question. Sort of.

I didn't ask Kuan to allow me something specific. He couldn't do it anyway without consulting others. Instead I asked for help in finding a brand sponsor and demonstrated how Totlol will look with sponsorship in place.

After a few days and some e-mail exchange I got a clear message:

'I recommend that you do what all other websites do'.

I was trapped.

I basically had three options: I could leave things as are and have no business, I could intentionally violate the ToS and be at Google's grace or I could modify the site to circumvent the way the ToS were worded, sacrifice the user experience and hope to satisfy a sponsor. I didn't like my odds, my business plan was in ruins and generally speaking there is no point shouting at the rain.

At 2 AM, the morning of June 5 I posted a message on the site saying that it will close by the end of the month.

This is where things should have ended. But they didn't.

Act Four - You want to do what?

Friday, June 5 was e-mail day. TechCrunch did a story and the messages started flowing in. Among them was one from Hunter Walk, Director of Product Management at Google.

It was titled:

'From YouTube: brainstorming about what features you'd need on-site to recreate TotLol experience'

He said:

'I lead the product management team for the consumer experience at YouTube.com'

He stated:

'My goal is that eventually i'd like to support lots of successful vertical experiences such as yours w/in the site in addition to outside the site.'

He asked for my 'expertise' and he followed with some fairly specific questions.

I felt uneasy.

There was e-mail exchanged and then a meeting at a Starbucks in San Bruno. Hunter arrived at that meeting with a block of paper and pen. He was ready to take notes and he again asked very specific questions, some I dodged, some I answered. As a follow up to that meeting I clarified that I was at a 'stop loss' situation, pointed out that they control the terms and hence control Totlol's future and offered my time under other arrangements if they are interested.

Within two days I had a reply. The mail contained some sentiments, vague hopes for the future and a lot of words. It also included this:

'Ultimately our role in the developer community is to provide technical guidance, promotional support and to ensure developers have a voice in the direction of our API roadmap. As a platform, we need to stay agnostic from the business-side of that equation.'

I wasn't sure what 'agnostic' meant so I checked. At the time, Hunter knew when and why the ToS were changed. I didn't know, he didn't tell me, and agnostic he wasn't.

Game over. Right? Nope.

Act Five - Not to die.

In the flood of e-mail that followed the closing announcement was something interesting. One user offered to make a donation, another said she'd like to pay a monthly fee, then another and another. A content creator wrote and said he was 'proud' to be on the site. People didn't just like Totlol. They loved it.

It was time not to die.

Anyone familiar with online marketing knows that converting site visitors into paying members is a monumental task. The numbers are brutal and this was to be the easy part. Google has published an adjacent document to the ToS, called Using the YouTube APIs to Build Monetizable Applications. If the ToS are walls, this document is like the barbed wire and warning signs that prevent you from even thinking of getting close to the wall.

The odds were still against me, but I was a year in the red and something is better than nothing. I decided I'd give it a try.

For the first time in my life I built something according to lawyers' guidelines not users' wishes. This is how the current set-up of Totlol came to be. This is why users are nagged. This is where the wording at the about page came from. I notified Hunter requesting that if Google is to object they'll do it sooner rather than later. There was no reply so I enabled fee requests.

Totlol users are serious people and Totlol is a serious full-featured web application. Now, supported solely by members it is still trapped, still can't break through, but it is alive. It is a shining example for the true potential of YouTube and is one of, if not the, best YouTube powered website out there.

So they lived happily ever after. Yah, right.

Act Six - WTF?

Over the past couple of months I have checked YouTube API ToS at archive.org a few times but all they had was the March 10, 2008 version of the API ToS. This version obviously differs from the current version dated April 8, 2009 but it offers no indication as to how and when things changed.

Then in November archive.org updated.

I clicked the stored versions one by one and there it was, a ToS update dated July 7, 2008. I compared it to the original and...

WTF?

On July 7?

That was way earlier than I thought! There was no major YouTube change at the time! That was at the time when I was working on the beta! That was like when...

I looked up an old e-mail thread. There it was, the old e-mail from Stephanie Liu. The one with the apology for the delay.

It said:

'Sent: Monday, July 07, 2008 4:50 PM'

I actually felt my stomach turn.

Curtain - The six inches in front of your face

I contacted Hunter. I contacted Kuan. I contacted Stephanie. I even sent an e-mail to legal@google.com.

Stephanie 'can't remember exactly' what the reason for the delay was. Her 'memory is hazy'. These are direct quotes in case you wondered. Kuan won't answer a simple question regarding his own I/O presentation. I guess he doesn't want to lie. If replying, Hunter emits random legal verbiage. The person who actually made the decisions is courageously hiding behind them.

So, let's sum things up. This is what happened:

When the YouTube API team saw Totlol they liked it. At about the same time someone else at Google saw it, realized the potential it, and/or similar implementations, may have, and initiated a ToS modification. An instruction was given to delay public acknowledgement of Totlol until the modified ToS were published. Later an instruction was given to avoid public acknowledgement at all.

Why?

I think the simplest explanation may be the correct one. As Hunter stated very clearly - they have a goal. They also have a method that works. With some cover-up, silence and amnesia they almost got away with it.

What should I do about what has happened?

I really don't know, but maybe you do. Here is the contact form. Use it as you like.

As for the future, following instructions from my wife, I'm looking for a job. Not a project or a start-up idea. A job, preferably with a stable, innovative and honest internet related company in the San Francisco Bay area where we currently live. I have a diverse skill set and I pay great attention to details. You may use the contact form for that too if relevant.

Monday, 28 December 2009

Today, DHS's Napolitano's response to the crotchbomber: 'We're looking to make sure that this sort of incident cannot recur.' But the TSA's response to Abdulmutalib's attempt makes one thing clear: We must stop pretending the TSA is making us safer.

Security expert Bruce Schneier nails the core incompetency: 'For years I've been saying 'Only two things have made flying safer [since 9/11]: the reinforcement of cockpit doors, and the fact that passengers know now to resist hijackers.''

So what has the TSA done in response to the attempted attack? They've told airlines to make passengers stay in their seats during the last hour of flight. They've made it verboten for passengers to hold anything in their laps, again only during the last hour of flight. Perhaps most hilariously telling, they've forbidden pilots from announcing when a plane is flying over certain cities and landmarks.

There is no other way to interpret it: The TSA is saying clearly that they can't prevent terrorists from getting explosives on airplanes, but by god, they'll make sure those planes only explode when the TSA says it's okay.

I want our government to prevent terrorism and to make flights safer. But we are spending billions of dollars and man-hours to fight a threat that is less likely to kill a traveler than being struck by lightning. In the last decade, according to statistician Nate Silver, there has been 'one terrorist incident per 11,569,297,667 miles flown [the] equivalent to 1,459,664 trips around the diameter of the Earth, 24,218 round trips to the Moon, or two round trips to Neptune.' (Sadly, this does mean that in the future we can expect one out of every two round-trip flights to Neptune to be hijacked.)

The TSA isn't saving lives. We, the passengers, are saving our own. Since its inception, the TSA has been structured in such a way as to prevent specific terror scenarios, attempting to disrupt a handful of insanely specific tactics, while continuing to disenfranchise and demoralize the citizens who are actually doing the work that a billion-dollar government agency—an agency that received an additional $128 million just this year for new checkpoint explosive screening technology—has failed to do.

We just had the first legitimate attempted attack in years, and the TSA changes the threat level from orange...to orange.

This goes far beyond simple customer satisfaction issues like 'Take Back Takeoff.' (Although they are of a kind.) It has to do with the wildly irrational response of a government agency in the face of failure. An agency whose leader, Secretary of Homeland Security Janet Napolitano, said at first blush that the attempted attack showed that—here comes the Katrina-class foot-in-mouth—'the system worked.' (She shoveled shit in her mouth this morning, while still talking up the asinine new measures that the TSA will be taking to respond to this isolated threat.)

I don't want to die on an airplane. I don't want to die in my home while eating an organic bagel infested with parasites that lay eggs on my liver. I don't want to die from starvation or bad water or a thousand other things that I pay our government to monitor and regulate.

But I also don't expect the government to protect me from the literally endless possibilities and threats that could occur at any point to end my life or the life of the few I love. It's been nearly a decade since terrorists used airplanes to attack our country, and last week's attempt makes it clear that the lack of terrorist attacks has nothing to do with the increasing gauntlet of whirring machines, friskings, and arbitrary bureaucratic provisions, but simply that for the most part, there just aren't that many terrorists trying to blow up planes. Because god knows if there were, the TSA isn't capable of stopping them. We're just one bad burrito away from the TSA forcing passengers to choke back an Imodium and a Xanax before being hogtied to our seats.

President Obama, don't let this attack—this one attack that was thankfully stopped by smart, fearless passengers and airline staff—take us further in the wrong direction. I don't think I'm alone in feeling this way. Americans of all stripes and affiliation are standing up to say, 'This isn't working. We gave you our money. You're not making us safer.' We appreciate the attempt to make us safer and acknowledge that it came from an honest attempt to protect American (and the rest of the world's) lives.

But it's a failure. It's wrongheaded. It's a farce. Tear it down. Put the money towards the sort of actions at which our government excels, like intelligence. The failure of the TSA leaves us no choice, but it's okay. The American people are ready to take back the responsibility for our own safety. Really, we already have.

Monday, 14 December 2009

I’ll tell you something — I’m really blown away by the way people have responded to AT&T’s bastardly behavior over bandwidth usage. Our engineers are friggin livid. And, because they’re engineers, which means they’re basically evil little pricks, they’ve come up with a plan to teach AT&T a lesson. They’re calling it Operation Chokehold. Last night I got this email that they’ve been sending around inside Apple, encouraging people to join the crusade:

Subject: Operation Chokehold

On Friday, December 18, at noon Pacific time, we will attempt to overwhelm the AT&T data network and bring it to its knees. The goal is to have every iPhone user (or as many as we can) turn on a data intensive app and run that app for one solid hour. Send the message to AT&T that we are sick of their substandard network and sick of their abusive comments. The idea is we’ll create a digital flash mob. We’re calling it Operation Chokehold. Join us and speak truth to power!

The engineers have asked me to serve as a kind of communications director for their efforts — soliciting ideas on what apps to use (Pandora may not be the best) and how to refine the attack on the network.

If anyone has ideas, use the comment strings. Tell your friends. Get people involved. We have five days to create a movement and plan a major assault. As the Portuguese said during the Obama campaign: Si, se puede.

FWIW, many of you probably know that Woz and I got our start by selling boxes that hacked the old phone system back in the 1970s. I hate these idiots more than you can imagine. The idea of spanking them like this just gives me tingles all over.

This is Google's cache of http://news.bbc.co.uk/2/hi/programmes/newsnight/8048626.stm. It is a snapshot of the page as it appeared on 9 Dec 2009 13:53:18 GMT.

It is the biggest toxic dumping scandal of the 21st century, the type of environmental vandalism that international treaties are supposed to prevent. Now Newsnight can reveal the truth about the waste that was illegally tipped on Ivory Coast's biggest city, Abidjan. A giant multinational is being sued in London's High Court by thousands of Africans who claim they were injured as a result.

The truth behind Ivory Coast toxic waste dump

Our investigation took us to Amsterdam where the waste could have been safely disposed of. Instead the company, Trafigura, went for the cheaper option and offloaded it in Abidjan.

Trafigura has always denied that the chemical waste was dangerous, but we have seen an analysis by the Dutch authorities which reveals it to be lethal.

We consulted a leading toxicologist, John Hoskins from the Royal Society of Chemistry. He said it would bring a major city to its knees.

The waste includes tons of phenols which can cause death by contact, tons of hydrogen sulphide, lethal if inhaled in high concentrations, and vast quantities of corrosive caustic soda and mercaptans which John Hoskins describes as "the most odorous compounds ever produced".

A terrible smell

It happened on 19 August 2006 in the dead of night. A convoy of trucks from a newly-formed company in Abidjan arrived to take the waste away. They illegally dumped the first loads at the huge tip in Aquedo.

A powerful stench soon engulfed the area. The tip's operators were called out and the drivers sent packing. They looked elsewhere to drop the waste, tipping it in at least 18 places across the city and beyond.

The Aquedo tip stretches as far as the eye can see. As scores of waste trucks tip their loads, an army of Abidjanis cluster around, children amongst them, brandishing long metal spikes. They pick through the rubbish, looking for anything that can be sold.

Deaths

We were soon surrounded by people, only too willing to talk about the night the toxic waste was dumped and the terrible smell that made them gag and sicken.

Just round the corner from the dump, we met Jean Francois Kouadio and his wife, Fidel.

She had been eight months pregnant with their first child when the fumes swamped their home. Fidel gave birth prematurely and the boy, Jean Claude, died within a day.

Their second child Ama Grace was born a year later. She too fell ill.

The doctors said that Ama Grace "was suffering from acute glycaemia caused by the toxic wastes".

They could do nothing for her and she died.

The medical reports state a "strong presumption" that the deaths of the two children were caused by exposure to the toxic waste and Jean Francois and Fidel now fear they will never become parents.

Polluted water

We also visited the village of Djibi, just outside Abidjan. The waste that was tipped here got into the water supply, killing the fish that fed the village.

The head of Djibi, Esaie Modto, told us that every last person here fell ill, two thousand people:

"There were women who miscarried, and that was very painful. But still, the worst was that three people, two adults and a girl were killed by the toxic wastes. That was very hard."

So what was it that brought such ruin on a country that in 2006 was still struggling to recover from a civil war?

The waste was generated as the result of an oil deal spanning three continents. Trafigura bought a consignment of cheap and dirty heavy oil with a high sulphur content. Instead of putting it through a refinery, Trafigura tried to clean it up, using a do-it-yourself method, so they could sell it on at a massive profit.

They used a ship called the Probo Koala which they stationed off Gibraltar as a rough and ready refinery. Caustic soda and a catalyst were added to the oil which reacted with the sulphur and settled to the bottom of the tank. Trafigura were then able to sell the oil, but left with a toxic sludge at the bottom of the tank.

"Smelly but not dangerous"

The Probo Koala went to Amsterdam where they attempted to unload this sulphurous tar as if it were normal ships' waste, which would have cost a few thousand euros.

However the fumes were so bad, the emergency services were called and the Dutch authorities carried out tests. They discovered the waste was highly toxic and told Trafigura that it would cost half a million euros to dispose of safely.

The Probo Koala instead pumped the waste back on board and left port, ending up in West Africa.

Marietta Harjono of Greenpeace Nederland says this has led to a prosecution by the Dutch authorities for "falsification of papers - they deliberately were silent on the toxic nature of the waste", as well as for illegal import of toxic waste and "illegal export of toxic waste from Europe to Cote d'Ivoire".

When Newsnight first investigated the toxic dumping scandal in 2007 one of Trafigura's founders Eric de Turckheim told Jeremy Paxman "these materials were not dangerous for human beings. It was smelly, but not dangerous."

Newsnight's new investigation shows this was far from the case. Trafigura continues to deny any wrongdoing.

Read Trafigura's full statement

Watch Meirion Jones and Liz MacKean's investigation in full on Newsnight on Wednesday 13 May 2009 at 10.30pm on BBC Two.

Wednesday, 9 December 2009

One company I worked at, some years back now, whose name I've redacted, to save the blushes of the guilty, used public IP addresses on their internal network - a recipe for disaster. With assistance from a good friend, we managed to dodge that particular bullet.

This is even worse :)

Remember when the telephone company came to your house to hook up your phone and gave you a new phone number? This new number was how your friends and family were going to contact you. You counted on the telephone company to ensure that someone hadn't already been issued that number, because if they had, various problems would ensue. What would happen when your mom tried to call your number if it was also assigned to someone else? Could you directly call the other party to work out the problem? Well, in the BGP realm, something similar has been happening with autonomous system numbers (ASNs).

Organizations need an ASN to run BGP and route on the Internet. They are each assigned globally unique ASN(s) by their local Regional Internet Registry (RIR), who get them from IANA. A few weeks ago, the NANOG folks noticed that AS1712 had been registered by two different organizations (in France and Texas) that were both using the number to announce their separate network prefixes. ARIN issued a statement conveying that they were aware of the problem and were working to resolve it. We took a look at the data and found that AS1712 isn't the only dually-assigned ASN out there. In fact, even a root server didn't escape unscathed.
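
One way to check registry data for the dual-assignment problem described above, as an added example that is not part of the original post: it parses records in the pipe-separated "delegated statistics" layout that the RIRs publish and reports any AS number claimed by more than one registry. The sample records, including the dates and the size of the ARIN block, are constructed for illustration, and the function names are hypothetical.

```python
# Constructed sample in the RIR delegated-statistics layout:
#   registry|cc|type|start|value|date|status
# For type "asn", start is the first AS number of the record and value is
# the count of consecutive numbers it covers. Only AS1712 and the two
# countries come from the post; every other value here is made up.
SAMPLE = """\
# constructed sample, not real registry data
arin|US|asn|1700|20|19910101|assigned
ripencc|FR|asn|1712|1|19930101|allocated
ripencc|DE|asn|2000|5|19940101|allocated
arin|US|ipv4|192.0.2.0|256|19930101|assigned
arin|*|asn|*|2|summary
apnic|JP|asn|2010|1|19950101|allocated
"""


def parse_asn_records(text):
    """Yield (registry, cc, first_asn, last_asn) for each delegated ASN record."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        # Skip header/summary lines and non-ASN resources (IPv4, IPv6).
        if len(fields) < 7 or fields[2] != "asn" or not fields[3].isdigit():
            continue
        # Only numbers actually handed out matter; ignore available/reserved.
        if fields[6] not in ("assigned", "allocated"):
            continue
        first = int(fields[3])
        count = int(fields[4])
        yield fields[0], fields[1], first, first + count - 1


def find_dual_assignments(records):
    """Return [(lo, hi, (registry_a, cc_a), (registry_b, cc_b))] for every
    AS number range delegated by two different registries."""
    ordered = sorted(records, key=lambda r: (r[2], r[3]))
    conflicts = []
    active = []  # records whose range may still overlap later ones
    for rec in ordered:
        registry, cc, first, last = rec
        # Drop records that end before this one starts.
        active = [a for a in active if a[3] >= first]
        for a in active:
            if a[0] != registry:
                # Overlap starts at `first` because input is sorted by start.
                conflicts.append((first, min(last, a[3]), (a[0], a[1]), (registry, cc)))
        active.append(rec)
    return conflicts


if __name__ == "__main__":
    for lo, hi, a, b in find_dual_assignments(parse_asn_records(SAMPLE)):
        span = f"AS{lo}" if lo == hi else f"AS{lo}-AS{hi}"
        print(f"{span}: delegated by {a[0]} ({a[1]}) and {b[0]} ({b[1]})")
```

Records are compared as ranges rather than single numbers because one registry line can cover a whole block, so a collision with a single-number record elsewhere would be missed by a plain equality check.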